Detectionmediumtest
Potential Initial Access via DLL Search Order Hijacking
Detects attempts to create a DLL file to a known desktop application dependencies folder such as Slack, Teams or OneDrive and by an unusual process. This may indicate an attempt to load a malicious module via DLL search order hijacking.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
WindowsFile Event
ProductWindows← raw: windows
CategoryFile Event← raw: file_event
Events for file system activity including creation, modification, and deletion.
Detection Logic
Detection Logic2 selectors
detection:
selection:
Image|endswith:
# add more processes when you find them
- '\winword.exe'
- '\excel.exe'
- '\powerpnt.exe'
- '\MSACCESS.EXE'
- '\MSPUB.EXE'
- '\fltldr.exe'
- '\cmd.exe'
- '\certutil.exe'
- '\mshta.exe'
- '\cscript.exe'
- '\wscript.exe'
- '\curl.exe'
- '\powershell.exe'
- '\pwsh.exe'
TargetFilename|endswith: '.dll'
TargetFilename|contains|all:
- '\Users\'
- '\AppData\'
TargetFilename|contains:
# add more suspicious paths when you find them
- '\Microsoft\OneDrive\'
- '\Microsoft OneDrive\'
- '\Microsoft\Teams\'
- '\Local\slack\app-'
- '\Local\Programs\Microsoft VS Code\'
filter:
Image|endswith: '\cmd.exe'
TargetFilename|contains|all:
- '\Users\'
- '\AppData\'
- '\Microsoft\OneDrive\'
- '\api-ms-win-core-'
condition: selection and not filterFalse Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
MITRE ATT&CK
Rule Metadata
Rule ID
dbbd9f66-2ed3-4ca2-98a4-6ea985dd1a1c
Status
test
Level
medium
Type
Detection
Created
Fri Oct 21
Author
Path
rules/windows/file/file_event/file_event_win_initial_access_dll_search_order_hijacking.yml
Raw Tags
attack.privilege-escalationattack.persistenceattack.t1566attack.t1566.001attack.initial-accessattack.t1574attack.t1574.001attack.defense-evasion